Abstract. A recent result has shown that reachability in two-clock
timed automata is log-space equivalent to reachability in bounded one-
counter automata [6]. We show that reachability in bounded one-counter
automata is PSPACE-complete.



1 Introduction 

Timed automata [1] are a successful and widely used formalism, which are used in
the analysis and verification of real-time systems. A timed automaton is a non-
deterministic finite automaton that is equipped with a number of real-valued
clocks, which allow the automaton to measure the passage of time.

Perhaps the most fundamental problem for timed automata is the reachability
problem: given an initial state, can the automaton perform a sequence of transi-
tions in order to reach a specified target state? In their seminal paper on timed
automata [1], Alur and Dill showed that this problem is PSPACE-complete. To
show hardness for PSPACE, their proof starts with a linear bounded automaton
(LBA), which is a non-deterministic Turing machine with a fixed tape length n.
They produce a timed automaton with 2n + 1 clocks, and show that the timed
automaton can reach a specified state if and only if the LBA halts.

However, the work of Alur and Dill did not address the case where the num- 
ber of clocks is small. This was rectified by Courcoubetis and Yannakakis [4], 
who showed that reachability in timed automata with only three clocks is still 
PSPACE-complete. Their proof cleverly encodes the tape of an LBA in a single 
clock, and then uses the two additional clocks to perform all necessary oper- 
ations on the encoded tape. In contrast to this, Laroussinie et al. have shown 
that reachability in one-clock timed automata is complete for NLOGSPACE, and 
therefore no more difficult than computing reachability in directed graphs [7] . 

The complexity of reachability in two-clock timed automata has been left 
open. The best known lower bound was given by Laroussinie et al., who gave 
a proof that the problem is NP-hard via a very natural reduction from subset- 
sum [7]. Moreover, the problem lies in PSPACE, because reachability in two-clock 
timed automata is obviously easier than reachability in three-clock timed au- 
tomata. However, the PSPACE-hardness proof of Courcoubetis and Yannakakis 
seems to fundamentally require three clocks, and does not naturally extend to 
the two-clock case. Naves [8] has shown that several extensions to two-clock 



timed automata lead to PSPACE-completeness, but his work does not advance
upon the NP-hard lower bound for unextended two-clock timed automata.

In a recent paper, Haase et al. have shown a link between reachability in
timed automata and reachability in bounded counter automata [6]. A bounded
counter automaton is a non-deterministic finite automaton equipped with a set
of counters, and the transitions of the automaton may add or subtract arbitrary
integer constants to the counters. The state space of each counter is bounded
by some natural number b, so the counter may only take values in the range
[0, b]. Moreover, transitions may only be taken if they do not increase or de-
crease a counter beyond the allowable bounds. This gives these seemingly simple
automata a surprising amount of power, because the bounds can be used to
implement inequality tests against the counters.

Haase et al. show that reachability in two-clock timed automata is log-space 
equivalent to reachability in bounded one-counter automata. Reachability in 
bounded one-counter automata has also been studied in the context of one-clock 
timed automata with energy constraints [2] , where it was shown that the problem 
lies in PSPACE, and is NP-hard. It has also been shown that the reachability 
problem for unbounded one-counter automata is NP-complete [5], but the NP 
containment proof does not seem to generalise to bounded one-counter automata. 

Our contribution. We show that satisfiability for quantified boolean formulas 
can be reduced, in polynomial time, to reachability in bounded one-counter 
automata. Hence, we show that reachability in bounded one-counter automata 
is PSPACE-complete, and therefore we resolve the complexity of reachability in 
two-clock timed automata. Our reduction uses two intermediate steps: subset- 
sum games and bounded counter-stack automata. 

Counter automata are naturally suited for solving subset-sum problems, so 
our reduction starts with a quantified version of subset-sum, which we call subset- 
sum games. One interpretation of satisfiability for quantified boolean formulas 
is to view the problem as a game between an existential player, and a universal 
player. The players take in turns to set their propositions to true or false, and 
the existential player wins if and only if the boolean formula is satisfied. Subset- 
sum games follow the same pattern, but apply it to subset-sum: the two players 
alternate in choosing numbers from sets, and the existential player wins if and 
only if the chosen numbers sum to a given target. Previous work by Travers can 
be applied to show that subset-sum games are PSPACE-complete [9]. 

We reduce subset-sum games to reachability in bounded one-counter au-
tomata. However, we will not do this directly. Instead, we introduce bounded
counter-stack automata, which are able to store multiple counters, but have a
stack-like restriction on how these counters may be accessed. These automata
are a convenient intermediate step, because having access to multiple counters
makes it easier for us to implement subset-sum games. Moreover, the stack-based
restriction means that it is relatively straightforward to show that reacha-
bility in bounded counter-stack automata is reducible, in polynomial time, to
reachability in bounded one-counter automata, which completes our result.



2 Bounded one-counter automata 

A bounded one-counter automaton has a single counter that can store values
between 0 and some bound b ∈ N. The automaton may add or subtract values
from the counter, so long as the bounds of 0 and b are not overstepped. This can
be used to test inequalities against the counter. For example, to test whether
the counter is larger than some n ∈ N, we first attempt to subtract n + 1 from
the counter, then, if that works, we add n + 1 back to the counter. This creates
a sequence of two transitions which can be taken if, and only if, the counter
is greater than n. A similar construction can be given for less-than tests. For
the sake of convenience, we will include explicit inequality testing in our formal
definition, with the understanding that this is not actually necessary.

We now give a formal definition. For two integers a, b ∈ Z we define [a, b] =
{n ∈ Z : a ≤ n ≤ b} to be the subset of integers between a and b. A bounded
one-counter automaton is defined by a tuple (L, b, Δ, l_0), where L is a finite set of
locations, b ∈ N is a global counter bound, Δ specifies the set of transitions, and
l_0 ∈ L is the initial location. Each transition in Δ has the form (l, p, g_1, g_2, l'),
where l and l' are locations, p ∈ [−b, b] specifies how the counter should be
modified, and g_1, g_2 ∈ [0, b] give lower and upper guards for the counter.

Each state of the automaton consists of a location l ∈ L along with a counter
value c. Thus, we define the set of states to be S = L × [0, b]. A transition ex-
ists between a state (l, c) ∈ S, and a state (l', c') ∈ S if there is a transition
(l, p, g_1, g_2, l') ∈ Δ, where g_1 ≤ c ≤ g_2, and c' = c + p.

The reachability problem for bounded one-counter automata is: starting at
the state (l_0, 0), can the automaton reach a specified target state (l_t, c_t)? It has
been shown that the reachability problem for bounded one-counter automata is
equivalent to the reachability problem for two-clock timed automata.

Theorem 1 ([6]). Reachability in bounded one-counter automata is log-space
equivalent to reachability in two-clock timed automata.
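The definition above can be executed directly. The following Python is an added example (not from the paper): transitions are (l, p, g_1, g_2, l') tuples, reachability is a breadth-first search over the finite state space L × [0, b], and greater_than_gadget builds the greater-than test from the start of this section out of two transitions whose only guards are the trivial [0, b]. The location names and the sample automaton are constructed for the example.

```python
from collections import deque

# A bounded one-counter automaton is (L, b, Delta, l0); each transition is
# (l, p, g1, g2, l') with p in [-b, b] and guards g1, g2 in [0, b].


def successors(state, delta, b):
    """States reachable in one step from (l, c). A transition (l, p, g1, g2, l')
    is enabled iff g1 <= c <= g2, and the new value c + p must stay inside
    [0, b], because the state space is L x [0, b]."""
    loc, c = state
    out = []
    for (l, p, g1, g2, l2) in delta:
        if l == loc and g1 <= c <= g2 and 0 <= c + p <= b:
            out.append((l2, c + p))
    return out


def reachable(delta, b, start, target):
    """Breadth-first search over L x [0, b]. Returns the run (a list of states)
    from start to target, or None if target is unreachable. The state space has
    |L| * (b + 1) elements, so the search terminates even though runs may loop."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s == target:
            run = []
            while s is not None:
                run.append(s)
                s = parent[s]
            return run[::-1]
        for nxt in successors(s, delta, b):
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return None


def greater_than_gadget(src, mid, dst, n, b):
    """The test 'counter > n' built from the bound alone: subtract n + 1 (only
    possible when c >= n + 1), then add n + 1 back. Both guards are the trivial
    [0, b], so no explicit inequality test is used."""
    return [(src, -(n + 1), 0, b, mid), (mid, n + 1, 0, b, dst)]


def values_passing_gadget(n, b):
    """Brute-force check of the gadget: the counter values c in [0, b] for which
    (src, c) reaches (dst, c) through the two transitions."""
    delta = greater_than_gadget("src", "mid", "dst", n, b)
    return [c for c in range(b + 1)
            if reachable(delta, b, ("src", c), ("dst", c)) is not None]


# Constructed sample automaton with b = 10: a loop adding 3 at l0, and an exit
# to l1 that subtracts 7. Only the counter value 9 can take the exit.
SAMPLE_B = 10
SAMPLE_DELTA = [("l0", 3, 0, 10, "l0"), ("l0", -7, 0, 10, "l1")]

if __name__ == "__main__":
    print(reachable(SAMPLE_DELTA, SAMPLE_B, ("l0", 0), ("l1", 2)))
    print(values_passing_gadget(3, 10))
```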

3 Subset-sum games 

A subset-sum game is played between an existential player and a universal
player. The game is specified by a pair (ψ, T), where T ∈ N, and ψ is a list:

∀{A_1, B_1} ∃{E_1, F_1} ... ∀{A_n, B_n} ∃{E_n, F_n},

where A_i, B_i, E_i, and F_i are all natural numbers.

The game is played in rounds. In the first round, the universal player chooses
an element from {A_1, B_1}, and the existential player responds by choosing an
element from {E_1, F_1}. In the second round, the universal player chooses an
element from {A_2, B_2}, and the existential player responds by choosing an element
from {E_2, F_2}. This pattern repeats for rounds 3 through n. Thus, at the end
of the game, the players will have constructed a sequence of numbers, and the
existential player wins if and only if the sum of these numbers is T.



Formally, the set of plays of the game is the set:

𝒫 = ∏_{1≤j≤n} {A_j, B_j} × {E_j, F_j}.

A play P ∈ 𝒫 is winning for the existential player if and only if ∑P = T.

A strategy for the existential player is a list of functions s = (s_1, s_2, ..., s_n),
where each function s_i dictates how the existential player should play in the ith
round of the game. Thus, each function s_i is of the form:

s_i : ∏_{1≤j≤i} {A_j, B_j} → {E_i, F_i}.

This means that the function s_i maps the first i moves of the universal player
to a decision for the existential player in the ith round.

A play P conforms to a strategy s if the decisions made by the existential
player in P always agree with s. More formally, for each i in the range 1 ≤ i ≤ n,
we define P_i = P ∩ ∏_{1≤j≤i} {A_j, B_j} to be the first i moves made by the universal
player. The play P conforms to a strategy s = (s_1, s_2, ..., s_n) if s_i(P_i) ∈ P, for
all i. Given a strategy s, we define the set of conforming plays to be Plays(s).
Note that, since the universal player makes exactly n choices, the set Plays(s)
contains exactly 2^n different plays.

A strategy s is winning if every play P ∈ Plays(s) is winning for the existential
player. The subset-sum game problem is to decide, for a given SSG instance
(ψ, T), whether the existential player has a winning strategy for (ψ, T).

The SSG problem clearly lies in PSPACE, because it can be solved on a poly- 
nomial time alternating Turing machine. A quantified version of subset-sum has 
been shown to be PSPACE-hard, via a reduction from quantified boolean formu- 
las [9]. Since SSGs are essentially a quantified version of subset-sum, the proof 
of PSPACE-hardness easily carries over. See Appendix A for further details. 

Lemma 2. The subset-sum game problem is PSPACE-complete. 
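As an added example (not part of the paper), the following Python decides a constructed SSG instance the way a polynomial-time alternating Turing machine would: the universal player's two options are combined with all, the existential player's with any, and the recursion depth is n, so the search uses polynomial space. winning_strategy additionally builds s = (s_1, ..., s_n) as a table from universal prefixes to replies, and conforming_plays enumerates Plays(s), whose 2^n members are then checked against T. The instance PSI and all function names are constructed for this example.

```python
from itertools import product

# An SSG instance (psi, T): psi is a list of rounds (A_i, B_i, E_i, F_i).
# Constructed sample: the existential player can always bring the round-1 sum
# to 3 and the round-2 sum to 6, so T = 6 is winnable but T = 5 is not.
PSI = [(1, 2, 2, 1), (1, 2, 2, 1)]


def existential_wins(psi, T, total=0, i=0):
    """Alternating search: round i is a universal choice from {A_i, B_i}
    followed by an existential reply from {E_i, F_i}. The recursion depth is
    len(psi), so the space used is polynomial in the instance size."""
    if i == len(psi):
        return total == T
    A, B, E, F = psi[i]
    return all(any(existential_wins(psi, T, total + u + e, i + 1) for e in (E, F))
               for u in (A, B))


def winning_strategy(psi, T):
    """Build s = (s_1, ..., s_n) as one dictionary: a prefix of universal moves
    (u_1, ..., u_i) maps to the existential reply s_i(u_1, ..., u_i).
    Returns None when the existential player has no winning strategy."""
    n = len(psi)
    s = {}

    def solve(prefix, total):
        i = len(prefix)
        if i == n:
            return total == T
        A, B, E, F = psi[i]
        for u in (A, B):                     # every universal move must be answered
            for e in (E, F):                 # by some existential reply that still wins
                if solve(prefix + (u,), total + u + e):
                    s[prefix + (u,)] = e
                    break
            else:
                return False
        return True

    return s if solve((), 0) else None


def conforming_plays(psi, s):
    """Plays(s): one play per sequence of universal choices, with the
    existential moves dictated by s; exactly 2**n plays."""
    plays = []
    for universal in product(*[(A, B) for (A, B, _, _) in psi]):
        play = []
        for i, u in enumerate(universal):
            play.append(u)
            play.append(s[universal[:i + 1]])
        plays.append(tuple(play))
    return plays


def strategy_is_winning(psi, T, s):
    """A strategy is winning iff every conforming play sums to T."""
    return all(sum(play) == T for play in conforming_plays(psi, s))


if __name__ == "__main__":
    s = winning_strategy(PSI, 6)
    print(existential_wins(PSI, 6), s, strategy_is_winning(PSI, 6, s))
```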

4 Counter-Stack Automata

Outline. In this section we ask: can we use a bounded one-counter automaton to 
store multiple counters? The answer is yes, but doing so forces an interesting set 
of restrictions on the way in which the counters are accessed. By the end of this 
section, we will have formalised these restrictions as counter-stack automata. 

Suppose that we have a bounded one-counter automaton with counter c and
bound b = 15. Hence, the width of the counter is 4 bits. Now suppose that we
wish to store two 2-bit counters c_1 and c_2 in c. We can do this as follows:

(Diagram: the four bits of c, with the top two bits labelled c_2 and the bottom two bits labelled c_1.)



We allocate the top two bits of c to store c_2, and the bottom two bits to store c_1.
We can easily write to both counters: if we want to increment c_2 then we add 4
to c, and if we want to increment c_1 then we add 1 to c.

However, if we want to test equality, then things become more interesting.
It is easy to test equality against c_2: if we want to test whether c_2 = 2, then
we test whether 8 ≤ c ≤ 11 holds. But, we cannot easily test whether c_1 = 2
because we would have to test whether c is 2, 6, 10, or 14, and this list grows
exponentially as the counters get wider. However, if we know that c_2 = 1, then
we only need to test whether c = 6. Thus, we arrive at the following guiding
principle: if you want to test equality against c_i, then you must know the values
of c_j for all j > i. Counter-stack automata are a formalisation of this principle.

Counter-stack automata. A counter-stack automaton has a set of k distinct
counters, which are referred to as c_1 through c_k. For our initial definitions, we
will allow the counters to take all values from N, but we will later refine this by
defining bounded counter-stack automata. The defining feature of a counter-stack
automaton is that the counters are arranged in a stack-like fashion:

— All counters may be increased at any time.

— c_i may only be tested for equality if the values of c_{i+1} through c_k are known.

— c_i may only be reset if the values of c_i through c_k are known.

When the automaton increases a counter, it adds a specified number n ∈ N
to that counter. The automaton has the ability to perform equality tests against
a counter, but the stack-based restrictions must be respected. An example of a
valid equality test would be c_k = 3 ∧ c_{k−1} = 10, because c_{k−1} = 10 only needs
to be tested in the case where c_k = 3 is known to hold. Conversely, the test
c_{k−1} = 10 by itself is invalid, because it places no restrictions on the value of c_k.

The automaton may also reset a counter, but the stack-based restrictions
apply. Counter c_i may only be reset by a transition, if that transition tests
equality against the values of c_i through c_k. For example, c_{k−1} may only be
reset if the transition is guarded by a test of the form c_{k−1} = n_1 ∧ c_k = n_2.

Formal definition. A counter-stack automaton is a tuple (L, C, Δ, l_0), where
L is a finite set of locations, C = [1, k] is a set of counter indexes, l_0 ∈ L is an
initial state, and Δ specifies the transition relation. Each transition in Δ has the
form (l, E, I, R, l') where:

— l, l' ∈ L is a pair of locations,

— E is a partial function from C to N which specifies the equality tests. If E(i)
is defined for some i, then E(j) must be defined for all j ∈ C with j > i.

— I ∈ N^k specifies how the counters must be increased,

— R ⊆ C specifies the set of counters that must be reset. It is required that
E(r) is defined for every r ∈ R.

Each state of the automaton is a location annotated with values for each of
the k counters. That is, the state space of the automaton is L × N^k. A state
(l, c_1, c_2, ..., c_k) can transition to a state (l', c'_1, c'_2, ..., c'_k) if, and only if, there
exists a transition (l, E, I, R, l') ∈ Δ, where the following conditions hold:

— For every i for which E(i) is defined, we must have c_i = E(i).

— For every i ∈ R, we must have c'_i = 0.

— For every i ∉ R, we must have c'_i = c_i + I_i.

A run is a sequence of states s_0, s_1, ..., s_n, where each s_i can transition to
s_{i+1}. To solve the reachability problem for counter-stack automata, we must de-
cide whether there is a run from (l_0, 0, 0, ..., 0) to a target state (l_t, t_1, t_2, ..., t_k).

A counter-stack automaton is b-bounded, for some b ∈ N, if it is impossible
for the automaton to increase a counter beyond b. Formally, this condition re-
quires that, for every state (l, c_1, c_2, ..., c_k) that can be reached by a run from
(l_0, 0, 0, ..., 0), we have c_i ≤ b for all i. We say that a counter-stack automaton
is bounded, if it is b-bounded for some b ∈ N.

Simulation by a bounded one-counter automaton. A bounded counter-
stack automaton is designed to be simulated by a bounded one-counter automa-
ton. To do this, we follow the construction outlined at the start of this section:
we split the bits of the counter c into k chunks, where each chunk represents one
of the counters c_i. Note that the boundedness assumption is crucial, because
otherwise incrementing c_i may overflow the allotted space, and inadvertently
modify the value of c_{i+1}. See Appendix B for more details of the construction.

Lemma 3. Reachability in bounded counter-stack automata is polynomial-time 
reducible to reachability in bounded one-counter automata. 
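The chunking construction sketched here (and detailed in Appendix B) can be made concrete with the following added Python, which is not the paper's code: k counters of `width` bits each are packed into one integer with c_1 in the lowest bits, an increment of c_i becomes an addition of n·2^{width·(i−1)}, a stack-respecting equality test becomes a single interval guard on the packed value, and a reset of a tested counter becomes a subtraction. The brute-force checker shows why the stack discipline matters: a test on c_1 alone is not an interval. The layout with k = 2, width = 2 and b = 15 is the one from the start of this section; the function names are assumptions of this example.

```python
from itertools import product

# Packing k bounded counters c_1..c_k into one counter c: chunk i occupies bits
# width*(i-1) .. width*i - 1, so c_1 sits in the lowest bits and c_k in the
# highest (the layout of this section's example with k = 2, width = 2, b = 15).


def packed(counters, width):
    """Packed value of (c_1, ..., c_k)."""
    return sum(c << (width * i) for i, c in enumerate(counters))


def increment(i, n, width):
    """Adding n to c_i is adding n * 2**(width*(i-1)) to c (4 for c_2, 1 for c_1)."""
    return n << (width * (i - 1))


def guard(tests, k, width):
    """Turn an equality test E (dict i -> value) into the single interval [lo, hi]
    on the packed counter. E must respect the stack discipline: if c_i is tested
    then every c_j with j > i is tested too, so the tested counters fix the high
    bits and only the untested low chunks are free."""
    lowest = min(tests)
    if set(tests) != set(range(lowest, k + 1)):
        raise ValueError("stack discipline: testing c_i needs c_j for every j > i")
    lo = sum(v << (width * (i - 1)) for i, v in tests.items())
    hi = lo + (1 << (width * (lowest - 1))) - 1
    return lo, hi


def reset(i, tests, width):
    """Resetting c_i is only allowed when E(i) is tested, and then it is the
    subtraction of E(i) * 2**(width*(i-1)) from c."""
    return -(tests[i] << (width * (i - 1)))


def satisfying_values(tests, k, bound, width):
    """Brute force over every counter vector in [0, bound]**k: the packed values
    of the vectors that satisfy the test, in increasing order."""
    return sorted(packed(cs, width) for cs in product(range(bound + 1), repeat=k)
                  if all(cs[i - 1] == v for i, v in tests.items()))


def is_interval(values):
    """True iff the sorted list has no gaps, i.e. one guard [lo, hi] expresses it."""
    return values == list(range(values[0], values[-1] + 1)) if values else True


def guard_is_exact(tests, k, bound, width):
    """The interval guard accepts exactly the reachable packed values that
    satisfy the test (width must be large enough to hold bound in each chunk)."""
    lo, hi = guard(tests, k, width)
    states = {packed(cs, width) for cs in product(range(bound + 1), repeat=k)}
    return sorted(v for v in states if lo <= v <= hi) == satisfying_values(tests, k, bound, width)


if __name__ == "__main__":
    print(guard({2: 2}, 2, 2))                  # c_2 = 2  ->  8 <= c <= 11
    print(satisfying_values({1: 2}, 2, 3, 2))   # c_1 = 2 alone: 2, 6, 10, 14
```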

5 Outline Of The Construction 

Our goal is to show that reachability in bounded counter-stack automata is
PSPACE-hard. To do this, we will show that subset-sum games can be solved
by bounded counter-stack automata. In this section, we give an overview of our
construction using the following two-round SSG:

(∀{A_1, B_1} ∃{E_1, F_1} ∀{A_2, B_2} ∃{E_2, F_2}, T).

For brevity, we will refer to this instance as (ψ, T) for the rest of this section.
The construction is split into two parts: the play gadget, and the reset gadget. 



Fig. 1. The play gadget. (Diagram: the upper transitions are labelled c_1 + 1, c_9 + A_1; c_3 + 1, c_9 + E_1; c_5 + 1, c_9 + A_2; c_7 + 1, c_9 + E_2, and the lower transitions c_2 + 1, c_9 + B_1; c_4 + 1, c_9 + F_1; c_6 + 1, c_9 + B_2; c_8 + 1, c_9 + F_2.)

The play gadget. The play gadget is shown in Figure 1. The construction
uses 9 counters. The locations are represented by circles, and the transitions are
represented by edges. The annotations on the transitions describe the increments,
resets, and equality tests: the notation c_i + n indicates that n is added to counter
i, the notation R(c_i) indicates that counter i is reset to 0, and the notation c_i = n
indicates that the transition may only be taken when c_i = n is satisfied.

This gadget allows the automaton to implement a play of the SSG. The
locations u_1 and u_2 allow the automaton to choose the first and second moves of
the universal player, while the locations e_1 and e_2 allow the automaton to choose
the first and second moves for the existential player. As the play is constructed,
a running total is stored in c_9, which is the top counter on the stack. The final
transition between w_1 and w_2 checks whether the existential player wins the
play, and then resets c_9. Thus, the set of runs between u_1 and w_2 corresponds
precisely to the set of plays won by the existential player in the SSG.

In addition to this, each outgoing transition from u_i or e_i comes equipped
with its own counter. This counter is incremented if and only if the corresponding
edge is used during the play, and this allows us to check precisely which play was
chosen. These counters will be used by the reset gadget. The idea behind our
construction is to force the automaton to pass through the play gadget multiple
times. Each time we pass through the play gadget, we will check a different play,
and our goal is to check a set of plays that verify whether the existential player
has a winning strategy for the SSG.

Which plays should be checked? In our example, we must check four plays. 
The format of these plays is shown in Table 1. 



Play   u_1   e_1          u_2   e_2
1      A_1   E_1 or F_1   A_2   E_2 or F_2
2      A_1   Unchanged    B_2   E_2 or F_2
3      B_1   E_1 or F_1   A_2   E_2 or F_2
4      B_1   Unchanged    B_2   E_2 or F_2

Table 1. The set of plays that the automaton will check.

The table shows four different plays, which cover every possible strategy
choice of the universal player. Clearly, if the existential player does have a win-
ning strategy, then that strategy should be able to win against all strategy
choices of the universal player. The plays are given in a very particular order:
the first two plays contain A_1, while the second two plays contain B_1. Moreover,
we always check A_2, before moving on to B_2.

We want to force the decisions made at e_1 and e_2 to form a coherent strategy
for the existential player. In this game, a strategy for the existential player is
a pair s = (s_1, s_2), where s_i describes the move that should be made at e_i. It
is critical to note that s_1 only knows whether A_1 or B_1 was chosen at u_1. This
restriction is shown in the table: the automaton may choose freely between E_1
and F_1 in the first play. However, in the second play, the automaton must make
the same choice as it did in the first play. The same relationship holds between
the third and fourth plays. These restrictions ensure that the plays shown in
Table 1 are a description of a strategy for the existential player.







Fig. 2. The reset gadget 



The reset gadget. The reset gadget, shown in Figure 2, enforces the constraints
shown in Table 1. The locations w_2 and u_1 represent the same locations as they
did in Figure 1. To simplify the diagram, we have only included meaningful
equality tests. Whenever we omit a required equality test, it should be assumed
that the counter is 0. For example, the outgoing transitions from r_2 implicitly
include the requirement that c_7, c_8, and c_9 are all 0.

We consider the following reachability problem: can (t, 0, 0, ..., 0) be reached
from (u_1, 0, 0, ..., 0)? The structure of the reset gadget places restrictions on the
runs that reach t. All such runs pass through the reset gadget exactly four times,
and the following table describes each pass:

Pass   Path
1      w_2 → r'_2 → r_2 → u_1
2      w_2 → r'_2 → r_2 → r'_1 → r_1 → u_1
3      w_2 → r'_2 → r_2 → u_1
4      w_2 → r'_2 → r_2 → r'_1 → r_1 → t

To see why these paths must be taken, observe that, for every i ∈ {1, 3}, each
pass through the play gadget increments either c_i or c_{i+1}, but not both. This
means that the first time that we arrive at r_2, we must take the transition directly
to u_1, because the guard on the transition to r'_1 cannot possibly be satisfied after
a single pass through the play gadget. When we arrive at r_2 on the second pass,
we are forced to take the transition to r'_1, because we cannot have c_5 = 1 and
c_6 = 0 after two passes through the play gadget. This transition resets both c_5
and c_6, so the pattern can repeat again on the third and fourth visits to r_2. The
location r_1 behaves in the same way as r_2, but the equality tests are scaled up,
because r_1 is only visited on every second pass through the reset gadget.

We can now see that all strategies of the universal player must be considered.
The transition between r_2 and u_1 forces the play gadget to increment c_5, and
therefore the first and third plays must include A_2. Similarly, the transition
between r_2 and r'_1 forces the second and fourth plays to include B_2. Meanwhile,
the transition between r_1 and u_1 forces the first and second plays to include A_1,
and the transition between r_1 and t forces the third and fourth plays to include
B_1. Thus, we select the universal player strategies exactly as Table 1 prescribes.

The transitions between r'_1 and r_1 check that the existential player is playing
a coherent strategy. When the automaton arrives at r'_1 during the second pass, it
verifies that either E_1 was included in the first and second plays, or that F_1 was
included in the first and second plays. If this is not the case, then the automaton
gets stuck. The counters c_3 and c_4 are reset when moving to r_1, which allows
the same check to occur during the fourth pass. For the sake of completeness, we
have included the transitions between r'_2 and r_2, which perform the same check
for E_2 and F_2. However, since the existential player is allowed to change this
decision on every pass, the automaton can never get stuck at r'_2.

The end result is that location t can be reached if and only if the existential
player has a winning strategy for (ψ, T). As we will show in the next section, the
construction extends to arbitrarily large SSGs, which then leads to a proof that
reachability in counter-stack automata is PSPACE-hard. Note that all counters
in this construction are bounded: c_9 is clearly bounded by the maximum value
that can be achieved by a play of the SSG, and the reset gadget ensures that no
other counter may exceed 4. Thus, we will have completed our proof of PSPACE-
hardness for bounded one-counter automata and two-clock timed automata.



6 Formal Definition and Proof 

Sequential strategies for SSGs. We start by formalising the ideas behind 
Table 1. Recall that the table gives a strategy for the existential player in the 
form of a list of plays. Moreover, the table gave a very specific ordering in which 
these plays must appear. We now formalise this ordering. 

We start by dividing the integers in the interval [1, 2^n] into i-blocks. The
1-blocks partition the interval into two equally sized blocks. The first 1-block
consists of the range [1, 2^{n−1}], and the second 1-block consists of the range
[2^{n−1} + 1, 2^n]. There are four 2-blocks, which partition the 1-blocks into two
equally sized sub-ranges. This pattern continues until we reach the n-blocks.

Formally, for each i ∈ {1, 2, ..., n}, there are 2^i distinct i-blocks. The
set of i-blocks can be generated by considering the intervals [k + 1, k + 2^{n−i}] for
the first 2^i numbers k ≥ 0 that satisfy k mod 2^{n−i} = 0. An i-block is even if k
is an even multiple of 2^{n−i}, and it is odd if k is an odd multiple of 2^{n−i}.

The ordering of the plays in Table 1 can be described using blocks. There
are four 2-blocks, and A_2 appears only in even 2-blocks, while B_2 only appears
in odd 2-blocks. Similarly, A_1 only appears in the even 1-block, while B_1 only
appears in the odd 1-block. The restrictions on the existential player can also be
described using blocks: the existential player's strategy may not change between
E_i and F_i during an i-block. We generalise this idea in the following definition.



Definition 4 (Sequential strategy). A sequential strategy for the existential
player in (ψ, T) is a list of 2^n plays S = P_1, P_2, ..., P_{2^n}, where for every i-block
L we have:

— If L is an even i-block, then P_j must contain A_i for all j ∈ L.

— If L is an odd i-block, then P_j must contain B_i for all j ∈ L.

— We either have E_i ∈ P_j for all j ∈ L, or we have F_i ∈ P_j for all j ∈ L.

We say that S is winning for the existential player if ∑P_j = T for every
P_j ∈ S. Since a sequential strategy is simply a strategy written in the form of a
list, we have the following lemma. See Appendix C for further details.

Lemma 5. The existential player has a winning strategy if and only if the
existential player has a sequential winning strategy.
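The block structure of Definition 4 and both directions of Lemma 5 can be exercised with the following added Python (not the paper's code). Plays are written as tuples of (universal move, existential move) pairs labelled "A"/"B" and "E"/"F", since only the ordering matters here, not the numbers; i_blocks follows the definition of i-blocks above, strategy_to_sequential lists the 2^n plays of a strategy in block order, is_sequential checks the three conditions of Definition 4, and sequential_to_strategy reads a strategy back off a sequential one. The sample parity strategy and all function names are constructed for the example.

```python
# Sequential strategies (Definition 4) for an n-round SSG. A play is a tuple of
# n pairs (u, e) with u in {"A", "B"} (the universal move of that round) and
# e in {"E", "F"} (the existential reply).


def i_blocks(n, i):
    """The 2**i i-blocks of [1, 2**n]: for each k that is a multiple of 2**(n-i),
    the interval [k + 1, k + 2**(n-i)]; the block is even iff k is an even multiple."""
    w = 2 ** (n - i)
    return [((k // w) % 2 == 0, range(k + 1, k + w + 1)) for k in range(0, 2 ** n, w)]


def in_even_block(n, i, j):
    """True iff play j lies in an even i-block."""
    return ((j - 1) // 2 ** (n - i)) % 2 == 0


def universal_moves(n, j):
    """The universal player's moves in play j of the Table-1 ordering:
    A_i in even i-blocks and B_i in odd i-blocks."""
    return tuple("A" if in_even_block(n, i, j) else "B" for i in range(1, n + 1))


def strategy_to_sequential(n, s):
    """Lemma 5, one direction: list the 2**n plays that conform to the strategy
    s = (s_1, ..., s_n), where s_i maps the first i universal moves to 'E'/'F'."""
    plays = []
    for j in range(1, 2 ** n + 1):
        u = universal_moves(n, j)
        plays.append(tuple((u[i - 1], s[i - 1](u[:i])) for i in range(1, n + 1)))
    return plays


def is_sequential(n, plays):
    """Check the three conditions of Definition 4 for every i-block L:
    A_i throughout even blocks, B_i throughout odd blocks, and a single
    existential choice (E_i or F_i) throughout the block."""
    if len(plays) != 2 ** n:
        return False
    for i in range(1, n + 1):
        for even, members in i_blocks(n, i):
            moves = [plays[j - 1][i - 1] for j in members]
            if any(u != ("A" if even else "B") for u, _ in moves):
                return False
            if len({e for _, e in moves}) != 1:
                return False
    return True


def sequential_to_strategy(n, plays):
    """Lemma 5, other direction: the universal prefix (u_1, ..., u_i) identifies
    one i-block, and the third condition makes the existential choice in that
    block unique, so the prefix determines s_i(prefix)."""
    table = {}
    for play in plays:
        for i in range(1, n + 1):
            table[tuple(u for u, _ in play[:i])] = play[i - 1][1]

    def s_i(prefix):
        return table[prefix]
    return [s_i] * n


# Constructed sample strategy for n = 3: answer E_i when the universal player
# has so far chosen an even number of B's, and F_i otherwise.
def parity_strategy(prefix):
    return "E" if prefix.count("B") % 2 == 0 else "F"


SAMPLE_PLAYS = strategy_to_sequential(3, [parity_strategy] * 3)
```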

The base automaton. We describe the construction in two steps. Recall, from
Figures 1 and 2, that the top counter is used by the play gadget to store the value
of the play, and to test whether the play is winning. We begin by constructing
a version of the automaton that omits the top counter. That is, if c_k is the top
counter, we modify the play gadget by removing all increases to c_k and the
equality test for c_k between w_1 and w_2. We call this the base automaton. Later,
we will add the constraints for c_k back in, to construct the full automaton.

We now give a formal definition of the base automaton. Throughout this
definition, we keep consistency with the location and counter names used in
Figures 1 and 2. For each natural number n, we define a counter-stack automaton
A_n as follows. The automaton has the following set of locations:

— For each i ∈ [1, n] we have a location u_i and a location e_i.

— We have two check states w_1 and w_2.

— For each i ∈ [1, n] we have two reset locations r_i and r'_i.

— We have a goal location t.

The automaton uses k = 2n + 1 counters. The top counter is reserved for
the full automaton, and will not be used in this construction. We will identify
counters 1 through 2n using the following shorthands. For each integer i, we
define a_i = c_{4(i−1)+1}, we define b_i = c_{4(i−1)+2}, we define e_i = c_{4(i−1)+3}, and we
define f_i = c_{4(i−1)+4}. Note that, in Figure 1, we have a_1 = c_1 and a_2 = c_5, and
these are precisely the counters associated with A_1 and A_2, respectively. The
same relationship holds between b_i and B_i, and so on.

The transitions of the automaton are defined as follows. Whenever we omit
a required equality test against a counter c_i, it should be assumed that the
transition includes the test c_i = 0.

— Each location u_i has two transitions to e_i.

• A transition that adds 1 to a_i.

• A transition that adds 1 to b_i.

— We define u_{n+1} to be a shorthand for w_1. Each location e_i has two transitions
to u_{i+1}.

• A transition that adds 1 to e_i.

• A transition that adds 1 to f_i.

— Location w_1 has a transition to w_2, and w_2 has a transition to r'_n. These
transitions do not increase any counter, and do not test any equalities.

— Each location r'_i has two outgoing transitions to r_i.

• A transition that tests e_i = 2^{n−i} and f_i = 0.

• A transition that tests e_i = 0 and f_i = 2^{n−i}.

— We define r'_0 to be shorthand for location t. Each location r_i has two outgoing
transitions.

• A transition to u_1 that tests a_i = 2^{n−i} and b_i = 0.

• A transition to r'_{i−1} that tests a_i = 2^{n−i} and b_i = 2^{n−i}.

Runs in the base automaton. We now describe the set of runs that are possible in
the base automaton. We decompose every run R of the automaton into segments,
such that each segment contains a single pass through the play gadget. More
formally, we decompose R into segments R_1, R_2, ..., where each segment R_i
starts at u_1, and ends at the next visit to u_1. We say that a run gets stuck
if the run does not end at (t, 0, 0, ..., 0), and if the final state of the run has
no outgoing transitions. We say that a run R gets stuck during an i-block L
if there exists a j ∈ L such that R_j gets stuck. The following lemma gives a
characterisation of the runs in A_n. See Appendix D for further details.

Lemma 6. Let R be a run in A_n. R does not get stuck if and only if, for every
i-block L, all of the following hold.

— If L is an even i-block, then R_j must increment a_i for every j ∈ L.

— If L is an odd i-block, then R_j must increment b_i for every j ∈ L.

— Either R_j increments e_i for every j ∈ L, or R_j increments f_i for every
j ∈ L.

We say that a run is successful if it eventually reaches (t, 0, 0, ..., 0). By
definition, a run is successful if and only if it never gets stuck. Also, the transition
from r_1 to t ensures that every successful run must have exactly 2^n segments.
With these facts in mind, if we compare Lemma 6 with Definition 4, then we
can see that the set of successful runs in A_n corresponds exactly to the set of
sequential strategies for the existential player in the SSG.

Since we eventually want to implement A_n as a bounded one-counter au-
tomaton, it is important to prove that A_n is bounded. We do this in the following
lemma. See Appendix E for full details.

Lemma 7. Along every run of A_n we have that:

— a_i and b_i are bounded by 2^{n−i+1}; and

— e_i and f_i are bounded by 2^{n−i}.



The full automaton. Let (ψ, T) be an SSG instance, where ψ is:

∀{A_1, B_1} ∃{E_1, F_1} ... ∀{A_n, B_n} ∃{E_n, F_n}.

We will construct a counter-stack automaton A_ψ from A_n. Recall that the top
counter c_k is unused in A_n. We modify the transitions of A_n as follows. Let δ
be a transition. If δ increments a_i then it also adds A_i to c_k, if δ increments b_i
then it also adds B_i to c_k, if δ increments e_i then it also adds E_i to c_k, and if δ
increments f_i then it also adds F_i to c_k. We also modify the transition between
w_1 and w_2, so that it checks whether c_k = T, and resets c_k.

Since we only add extra constraints to A_n, the set of successful runs in A_ψ
is contained in the set of successful runs of A_n. Recall that the set of successful
runs in A_n encodes the set of sequential strategies for the existential player in
(ψ, T). In A_ψ we simply check whether each play in the sequential strategy is
winning for the existential player. Thus, we have shown the following lemma.

Lemma 8. The set of successful runs in A_ψ corresponds precisely to the set of
winning sequential strategies for the existential player in (ψ, T).

We also have that A_ψ is bounded. Counters c_1 through c_{k−1} are bounded
due to Lemma 7, and counter c_k is bounded by ∑{A_i, B_i, E_i, F_i : 1 ≤ i ≤ n}.
This completes the reduction from subset-sum games to bounded counter-stack
automata, and gives us our main theorem.

Theorem 9. Reachability in bounded counter-stack automata is PSPACE-hard. 

Corollary 10. We have: 

— Reachability in bounded one-counter automata is PSPACE-complete. 

— Reachability in 2-clock timed automata is PSPACE-complete. 

References 

1. R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 
126(2):183-235, 1994. 

2. P. Bouyer, U. Fahrenberg, K. G. Larsen, N. Markey, and J. Srba. Infinite runs in 
weighted timed automata with energy constraints. In Proc. of FORMATS, pages 
33-47, 2008. 

3. T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms, 
Third Edition. The MIT Press, 2009. 

4. C. Courcoubetis and M. Yannakakis. Minimum and maximum delay problems in 
real-time systems. Formal Methods in System Design, 1(4):385-415, 1992. 

5. C. Haase, S. Kreutzer, J. Ouaknine, and J. Worrell. Reachability in succinct and 
parametric one-counter automata. In Proc. of CONCUR, pages 369-383, 2009. 

6. C. Haase, J. Ouaknine, and J. Worrell. On the relationship between reachability 
problems in timed and counter automata. In Proc. of RP, pages 54-65, 2012. 

7. F. Laroussinie, N. Markey, and P. Schnoebelen. Model checking timed automata 
with one or two clocks. In Proc. of CONCUR, pages 387-401, 2004. 

8. G. Naves. Accessibilité dans les automates temporisés à deux horloges. Rapport de 
Master, MPRI, Paris, France, 2006. 

9. S. Travers. The complexity of membership problems for circuits over sets of integers. 
Theoretical Computer Science, 369(1-3):211-229, 2006. 



A Proof of Lemma 2 



Outline. A quantified version of subset-sum has already been shown to be 
PSPACE-hard [9], and the proof easily carries over to the case of SSGs. For the 
sake of completeness, we provide a direct proof that SSGs are PSPACE-hard, 
which closely follows the ideas laid out in [9]. 

The proof follows the NP-hardness proof for subset-sum, taken from [3, Theorem 34.10]. 
The key observation is that, if we begin with a quantified version 
of 3-SAT, then we end up with an SSG. 

Subset-sum is NP-hard. We now give a summary of the NP-hardness proof 
given in [3, Theorem 34.10]. We will describe the reduction using a worked 
example taken from [3]. Consider the following 3-CNF formula: 

$$\phi = C_1 \wedge C_2 \wedge C_3 \wedge C_4$$ 
$$C_1 = (x_1 \vee \neg x_2 \vee \neg x_3)$$ 
$$C_2 = (\neg x_1 \vee \neg x_2 \vee \neg x_3)$$ 
$$C_3 = (\neg x_1 \vee \neg x_2 \vee x_3)$$ 
$$C_4 = (x_1 \vee x_2 \vee x_3)$$ 

This formula has three variables, $x_1$, $x_2$, and $x_3$, and four clauses, $C_1$ through 
$C_4$. The reduction assumes that there is no clause $C_j$ that contains both $x_i$ and 
$\neg x_i$, because otherwise $C_j$ would always be satisfied. 

The reduction constructs a subset-sum instance, which is described in the 
following table. Each row should be read as a number written in decimal. For example, the first 
row specifies the number $v_1 = 1001001$. The subset-sum instance asks whether 
there is a subset of rows $v_1$ through $s'_4$ that sums to row $t$. 



The table is constructed according to the following rules. Each column is 
labelled: the first three columns are labelled by the variables $x_1$ through $x_3$, 
and the rest of the columns are labelled by the clauses $C_1$ through $C_4$. For each 
variable $x_i$ we define two rows: 

— $v_i$ has a 1 in column $x_i$, and a 1 in every column $C_j$ that contains $x_i$. 

— $v'_i$ has a 1 in column $x_i$, and a 1 in every column $C_j$ that contains $\neg x_i$. 

In addition to these, for each clause $C_j$ we define two slack rows: the row $s_j$ has 
a 1 in column $C_j$, and the row $s'_j$ has a 2 in column $C_j$. 

To see that this reduction works, suppose that we know a satisfying 
assignment of the CNF formula. We can use this to construct a solution to the 
subset-sum instance. If $x_i$ is true in the satisfying assignment, then we select $v_i$, 
and if it is false then we select $v'_i$. In doing so, we construct a subset with the 
following properties: 

— For each column $x_i$, we have that the sum of that column is 1, because we 
never select both $v_i$ and $v'_i$. 

— For each column $C_j$, we have that the sum of that column is at least 1, 
because every clause must be satisfied. 

— For each column $C_j$, we have that the sum of that column is at most 3, 
because each clause contains exactly 3 variables. 

These properties ensure that, for each column $C_j$, we can always select a subset 
of the slack rows, $s_j$ and $s'_j$, so that the sum of the column is 4. Thus, 
every satisfying assignment of the CNF formula corresponds to a solution of the 
subset-sum instance. 

For similar reasons, every solution of the subset-sum instance corresponds 
to a satisfying assignment of the CNF formula, by simply ignoring the slack 
rows. Since every column $C_j$ must sum to 4, we know that after removing the 
slacks, each column must sum to at least 1. This, combined with the fact that 
$v_i$ and $v'_i$ cannot be selected at the same time, implies that we have a satisfying 
assignment for the CNF formula. 

See [3] for a full proof of correctness of the NP-hardness reduction. 

Changing the format. Our definition of an SSG requires a very specific format 
for the input instance. In particular, each quantifier is associated with exactly two 
natural numbers. However, the reduction that we have described can be written 
down very naturally as a one-player SSG, in which only the existential player is 
allowed to move. For our example, the instance is $(V S_1 S_2 S_3 S_4, t)$, where: 

$$V = \exists\{v_1, v'_1\}\,\exists\{v_2, v'_2\}\,\exists\{v_3, v'_3\},$$ 
$$S_i = \exists\{s_i, 0\}\,\exists\{s'_i, 0\}.$$ 

Note that it is valid to force the choice between $v_i$ and $v'_i$, because no solution 
of the subset-sum instance can contain both of these numbers. 



Subset-sum games are PSPACE-complete. It is now easy to reduce a quantified 
boolean formula to an SSG. We simply follow the existing reduction, but if 
variable $x_i$ is universally quantified, then we use $\forall\{v_i, v'_i\}$ rather than $\exists\{v_i, v'_i\}$. 
For example, if we consider the quantified boolean formula $\forall x_1 \exists x_2 \forall x_3\, \phi$, where 
$\phi$ is defined as before, then we produce the quantified subset-sum instance 
$(V' S_1 S_2 S_3 S_4, t)$, where: 

$$V' = \forall\{v_1, v'_1\}\,\exists\{v_2, v'_2\}\,\forall\{v_3, v'_3\},$$ 

and $S_i$ is defined as before. The final step is to ensure a strict alternation of 
quantifiers, which the definition of an SSG requires. This can easily be achieved 
by inserting "dummy" quantifiers, where necessary. That is, we can insert $\exists\{0, 0\}$ 
between two consecutive $\forall$ quantifiers, and we can insert $\forall\{0, 0\}$ between two 
consecutive $\exists$ quantifiers. This change obviously cannot affect the winner of the 
SSG. 
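As an added example (not from the paper or from [3]), the Python below builds the rows of this reduction from the 3-CNF formula $\phi$ above, reads them as decimal numbers, and checks the correspondence the proof argues: an assignment satisfies $\phi$ exactly when choosing $v_i$ or $v'_i$ and then filling the clause columns with slack rows sums to $t$. The function names and the literal encoding (a negative integer $-k$ standing for $\neg x_k$) are ours.

```python
"""Added example, not from the paper: the CLRS-style subset-sum instance for
the 3-CNF formula phi of the text, and the assignment/subset correspondence."""
from itertools import product

# Constructed input: phi = C_1 & C_2 & C_3 & C_4; literal -k stands for "not x_k".
PHI = [(1, -2, -3), (-1, -2, -3), (-1, -2, 3), (1, 2, 3)]

def build_rows(clauses, n_vars):
    """Table rows as digit tuples.  Columns: x_1..x_n, then C_1..C_m."""
    m, w = len(clauses), n_vars + len(clauses)
    rows = {}
    for i in range(1, n_vars + 1):
        pos, neg = [0] * w, [0] * w
        pos[i - 1] = neg[i - 1] = 1                    # a 1 in column x_i
        for j, clause in enumerate(clauses):
            pos[n_vars + j] = int(i in clause)         # v_i : clauses containing x_i
            neg[n_vars + j] = int(-i in clause)        # v'_i: clauses containing not x_i
        rows[f"v{i}"], rows[f"v'{i}"] = tuple(pos), tuple(neg)
    for j in range(m):                                 # slack rows: s_j holds 1, s'_j holds 2
        for name, digit in ((f"s{j + 1}", 1), (f"s'{j + 1}", 2)):
            row = [0] * w
            row[n_vars + j] = digit
            rows[name] = tuple(row)
    target = tuple([1] * n_vars + [4] * m)             # t: 1 per variable, 4 per clause
    return rows, target

def as_decimal(row):
    """Read a row of digits as one decimal number, e.g. v_1 -> 1001001."""
    return int("".join(map(str, row)))

def satisfies(clauses, assignment):
    # assignment[k-1] is the truth value of x_k
    return all(any((lit > 0) == assignment[abs(lit) - 1] for lit in c) for c in clauses)

def solution_from_assignment(clauses, n_vars, assignment):
    """Mirror the proof: take v_i or v'_i from the assignment, then top each clause
    column up to 4 with slack.  None when a clause column sums to 0 (unsatisfied)."""
    rows, target = build_rows(clauses, n_vars)
    chosen = [f"v{i}" if assignment[i - 1] else f"v'{i}" for i in range(1, n_vars + 1)]
    for j in range(len(clauses)):
        col = sum(rows[name][n_vars + j] for name in chosen)  # satisfied literals, 0..3
        if col == 0:
            return None                                        # no slack reaches 4 from 0
        need = 4 - col                                         # 1, 2 or 3
        chosen += [f"s{j + 1}"] * (need & 1) + [f"s'{j + 1}"] * (need >> 1)
    assert sum(as_decimal(rows[n]) for n in chosen) == as_decimal(target)
    return chosen

def correspondence_holds(clauses, n_vars):
    """Every assignment satisfies phi iff the construction above yields a solution."""
    return all((solution_from_assignment(clauses, n_vars, a) is not None)
               == satisfies(clauses, a)
               for a in product([False, True], repeat=n_vars))
```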

B Proof of Lemma 3 

Let $S = (L, C, \Delta, l_0)$ be a $b$-bounded counter-stack automaton. Without loss 
of generality, we will assume that $b = 2^n - 1$, which means that each counter 
in $S$ is $n$ bits wide. We will construct a bounded one-counter automaton $B = 
(L', b', \Delta', l'_0)$ that simulates $S$. We will refer to the counters of $S$ as $c_1$ through 
$c_k$, and the counter of $B$ as $c$. 

We will follow the approach laid out at the start of Section 4. That is, we will 
set the bound $b' = 2^{k \cdot n} - 1$ so that $c$ is $k \cdot n$ bits wide. We then partition these 
bits in order to implement the counters $c_1$ through $c_k$. The counter $c_k$ will use 
the $n$ most significant bits, the counter $c_{k-1}$ will use the next $n$ most significant 
bits, and so on. 

We introduce some notation to formalise this encoding. Let $x \in [0, b]$ be a 
counter value for counter $c_i$. We define $\mathrm{Enc}(x, i) = x \cdot 2^{(i-1) \cdot n}$. To understand 
this definition, note that for $i = 1$, we have $\mathrm{Enc}(x, i) = x$. Then, for $i = 2$, we 
have that $\mathrm{Enc}(x, i)$ is the value of $x$ bit-shifted to the left $n$ times. Thus, this 
definition simply translates $x$ to the correct position in $c$. 

We can now define the translation. We will set $L' = L$ and $l'_0 = l_0$, which 
means that both automata have the same set of locations, and the same start 
location. We will use the transitions in $\Delta'$ to simulate $S$. For each transition 
$t = (l, E, I, R, l') \in \Delta$, we construct a transition $t' = (l, p, g_1, g_2, l') \in \Delta'$ between 
the same pair of locations. We want to have the following property: transition $t$ 
can be used from a state $(l, c_1, c_2, \ldots, c_k)$ in $S$ if and only if transition $t'$ can be 
used from the state $(l, \sum_i \mathrm{Enc}(c_i, i))$ in $B$. 

We begin by defining $p$. We set: 

$$p = \sum_{i \notin R} \mathrm{Enc}(I_i, i) - \sum_{i \in R} \mathrm{Enc}(E(i), i).$$ 

In other words, for each counter $i \notin R$ that is not to be reset, we add $\mathrm{Enc}(I_i, i)$ 
to $c$, which correctly adds $I_i$ to $c_i$. Note that the boundedness assumption on 
$S$ implies that the counters can never overflow due to this operation. For the 
counters $i \in R$, we subtract $E(i)$ from $c_i$. Recall that $E(i)$ must always be defined 
for the indices $i \in R$. Furthermore, the transition may only be taken if $c_i = E(i)$. 
Thus, subtracting $E(i)$ from $c_i$ will correctly set it to 0. 

Next we define the inequality tests. Let $j$ be the smallest index for which 
$E(j)$ is defined. Our guards are: 

$$g_1 = \sum_{i \ge j} \mathrm{Enc}(E(i), i),$$ 

$$g_2 = \sum_{i \ge j} \mathrm{Enc}(E(i), i) + \mathrm{Enc}(1, j) - 1.$$ 

It is straightforward to show that, in our encoding scheme, we have $c_i = E(i)$ 
for all $i \ge j$ if and only if $g_1 \le c \le g_2$. 

If we are given a target state $s = (t, c_1, c_2, \ldots, c_k)$ for $S$, then we can translate 
it into a target state $s' = (t, \sum_i \mathrm{Enc}(c_i, i))$ for $B$. The equivalence between the 
transitions in $\Delta$, and the transitions in $\Delta'$ implies that $s$ can be reached from 
$(l_0, 0, 0, \ldots, 0)$ if and only if $s'$ can be reached from $(l'_0, 0)$. This completes the 
proof of Lemma 3. 
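As an added example (not from the paper), the Python below implements $\mathrm{Enc}(x, i)$ and the translation of a counter-stack transition $(l, E, I, R, l')$ into $(p, g_1, g_2)$, then checks over every $b$-bounded stack state that $t$ is enabled iff $g_1 \le c \le g_2$ and that $c + p$ encodes the stack successor. The small parameters $n = k = 3$, the dictionary representation of $E$ and $I$, and the function names are ours; as in the formula for $p$, a reset counter is set to 0 regardless of its increment.

```python
"""Added example, not from the paper: Appendix B's encoding of k n-bit stack
counters into one counter, and the translated transition (p, g_1, g_2)."""
from itertools import product

N, K = 3, 3                    # n bits per stack counter, k counters (constructed)
BOUND = 2 ** N - 1             # b: every stack counter is b-bounded

def enc(x, i):
    """Enc(x, i) = x * 2^((i-1) n): place counter c_i's value at its bit position."""
    return x << ((i - 1) * N)

def encode_state(cs):
    """(c_1, ..., c_k) -> sum_i Enc(c_i, i); c_k occupies the n most significant bits."""
    return sum(enc(c, i + 1) for i, c in enumerate(cs))

def translate(E, I, R):
    """Counter-stack transition data -> (p, g_1, g_2) of the one-counter transition.
    E: equality tests, defined on a suffix j..k; I: increments; R: counters to reset."""
    j = min(E)
    p = (sum(enc(I[i], i) for i in range(1, K + 1) if i not in R)
         - sum(enc(E[i], i) for i in R))
    g1 = sum(enc(E[i], i) for i in range(j, K + 1))
    g2 = g1 + enc(1, j) - 1    # c_1..c_{j-1} are free to take any value
    return p, g1, g2

def stack_step(cs, E, I, R):
    """Reference semantics of the counter-stack transition; None if it is disabled."""
    if any(cs[i - 1] != v for i, v in E.items()):
        return None
    return tuple(0 if i in R else cs[i - 1] + I[i] for i in range(1, K + 1))

def simulation_agrees(E, I, R):
    """Over every b-bounded stack state: t is enabled <=> g_1 <= c <= g_2, and
    when it is, c + p is the encoding of the stack successor."""
    p, g1, g2 = translate(E, I, R)
    for cs in product(range(BOUND + 1), repeat=K):
        nxt = stack_step(cs, E, I, R)
        c = encode_state(cs)
        if (nxt is not None) != (g1 <= c <= g2):
            return False
        if nxt is None or max(nxt) > BOUND:
            continue               # overflow is ruled out by the boundedness assumption
        if encode_state(nxt) != c + p:
            return False
    return True
```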

C Proof of Lemma 5 

Let $s = (s_1, s_2, \ldots, s_n)$ be a winning strategy for the existential player. We define 
a sequential winning strategy as follows. Recall that $\mathrm{Plays}(s)$ contains exactly $2^n$ 
plays. We argue that these plays can be ordered so that they form a sequential 
strategy. We give an iterative procedure that achieves this task: the first step 
of the procedure will ensure that the 1-blocks contain the correct plays, the 
second step will ensure that the 2-blocks contain the correct plays, and so on. 
In the first step, we observe that exactly $2^{n-1}$ of the plays contain $A_1$, while 
exactly $2^{n-1}$ of the plays contain $B_1$, so we can order the plays so that the even 
1-block contains all plays containing $A_1$. Now suppose that we have found the 
$i$-blocks. We observe that each $i$-block $L$ has exactly $2^{n-(i+1)}$ plays that contain 
$A_{i+1}$. Therefore, for each $i$-block $L$, we can order the plays in $L$ so that the even 
$(i+1)$-block has all plays that contain $A_{i+1}$, and the odd $(i+1)$-block has all 
plays that contain $B_{i+1}$. At the end of this procedure, we will have a list of plays 
$S = P_1, P_2, \ldots, P_{2^n}$ where: 

— $P_j$ contains $A_i$ whenever $j$ is in an even $i$-block. 

— $P_j$ contains $B_i$ whenever $j$ is in an odd $i$-block. 

So $S$ satisfies the first two conditions of Definition 4. We argue that $S$ also 
satisfies the third condition. Let $L$ be an $i$-block. By definition, for every $j < i$, 
there is a unique $j$-block that contains $L$. These blocks define a play prefix 
$F \in \prod_{1 \le j < i} \{A_j, B_j\}$, and, for each play $P_j$ with $j \in L$, we have $F \subseteq P_j$. Since 
$S$ is a reordering of $\mathrm{Plays}(s)$, we must have $s_i(F) \in P_j$ for every $j \in L$. Hence, 
$S$ satisfies Definition 4. Moreover, since $s$ is winning, we have that every play in 
$\mathrm{Plays}(s)$ is winning, and therefore $S$ is a sequential winning strategy. 

Now let $S = P_1, P_2, \ldots, P_{2^n}$ be a winning sequential strategy. We give a high-level 
description of a winning strategy for the SSG. At the start of the strategy 
we set $L_0 = [1, 2^n]$. In each round $i$ of the game, let $D_i \in \{A_i, B_i\}$ be the decision 
made by the universal player. We select $L_i$ to be the unique $i$-block in $L_{i-1}$ such 
that $D_i \in P_j$ for all $j \in L_i$. We play $E_i$ if $E_i \in P_j$ for all $j \in L_i$, and we play 
$F_i$ if $F_i \in P_j$ for all $j \in L_i$. It is straightforward to encode this strategy in the 
form $s = (s_1, s_2, \ldots, s_n)$. By construction, when we play $s$, the outcome of the 
game will be some play $P_j$ from $S$. Since every play $P_j$ in $S$ is winning for the 
existential player, we have that $s$ is a winning strategy. 

D Proof of Lemma 6 

Let $R$ be a run in $\mathcal{A}_n$. The following lemma describes the set of reset states that 
each segment of $R$ must pass through. 

Lemma 11. Let $R$ be a run in $\mathcal{A}_n$. Either: 

— $R_j$ visits precisely the reset locations $r'_i$ and $r_i$ for which $j \bmod 2^{n-i} = 0$, or 

— $R_j$ gets stuck. 

Proof. We will prove this lemma by induction over $i$. The base case, where 
$i = n$, is trivial because $j \bmod 2^{n-n}$ is always equal to 0, and it is clear from the 
construction that every segment $R_j$ must always visit both $r'_n$ and $r_n$. 

For the inductive step, suppose that the lemma has been shown for $i + 1$, 
and we will show that the lemma holds for $i$. We know that, in order to reach $r'_i$ or 
$r_i$, a segment must first visit $r_{i+1}$. By the inductive hypothesis, we know that 
only segments $R_j$ with $j \bmod 2^{n-(i+1)} = 0$ visit $r_{i+1}$. At the start of $R$, we have 
$a_{i+1} = b_{i+1} = 0$. On the first visit to $r_{i+1}$, we clearly cannot take the transition 
to $r'_i$, because we have $a_{i+1} + b_{i+1} = 2^{n-(i+1)}$, and the transition to $r'_i$ requires 
$a_{i+1} + b_{i+1} = 2^{n-i}$. Thus, we either have to take the transition to $u_{i+1}$, or we get stuck. 
On the second visit to $r_{i+1}$, we cannot take the transition to $u_{i+1}$, because we 
have $a_{i+1} + b_{i+1} = 2^{n-i}$, and the transition to $u_{i+1}$ requires $a_{i+1} + b_{i+1} = 2^{n-(i+1)}$. Thus, 
either we get stuck, or we take the transition to $r'_i$. The transition between $r_{i+1}$ 
and $r'_i$ resets $a_{i+1}$ and $b_{i+1}$. Thus, we can repeat the argument, and conclude that 
locations $r'_i$ and $r_i$ are only visited by segments $R_j$ where $j \bmod 2^{n-i} = 0$. □ 

Having shown Lemma 11, it is now easy to prove Lemma 6. Let $R$ be a run 
of $\mathcal{A}_n$. For the counters $a_i$ and $b_i$, we have the following facts: 

— At the start of the first $i$-block, we have $a_i = b_i = 0$. 

— Each $i$-block contains exactly $2^{n-i}$ segments. Each segment must increment 
one of $a_i$ or $b_i$, but not both. 

— At the end of each odd $i$-block, we must take the transition from $r_i$ to $u_i$ to 
avoid getting stuck. This transition requires $a_i = 2^{n-i}$ and $b_i = 0$. 

— At the end of each even $i$-block, we must take the transition from $r_i$ to $r'_{i-1}$ 
to avoid getting stuck. This transition requires $a_i = 2^{n-i}$ and $b_i = 2^{n-i}$, and 
resets $a_i$ and $b_i$ to 0. 

These facts imply that $a_i$ must be incremented during every segment in an odd 
$i$-block to prevent the automaton getting stuck, and $b_i$ must be incremented during 
every segment in an even $i$-block to prevent the automaton getting stuck. It can also 
be verified that, if $a_i$ is incremented during every segment in an odd $i$-block, and $b_i$ is 
incremented during every segment in an even $i$-block, then the automaton will never 
get stuck at $r_i$. 

Similarly, for the counters $e_i$ and $f_i$, we have the following facts. 

— At the start of the first $i$-block, we have $e_i = f_i = 0$. 

— Each $i$-block contains exactly $2^{n-i}$ segments. Each segment must increment one of $e_i$ 
or $f_i$, but not both. 

— At the end of each $i$-block, we must take one of the two transitions from $r'_i$ 
to $r_i$ to avoid getting stuck. These transitions require that $e_i = 2^{n-i}$ and 
$f_i = 0$, or $e_i = 0$ and $f_i = 2^{n-i}$. 

These facts imply that either $e_i$ is incremented during every segment in an $i$-block, or 
$f_i$ is incremented during every segment in an $i$-block, or the automaton will get stuck 
when moving from $r'_i$ to $r_i$ at the end of the $i$-block. It can also be verified that, if 
the automaton increases $e_i$ during every segment in an $i$-block, then the automaton 
will not get stuck moving from $r'_i$ to $r_i$, and if the automaton increases $f_i$ during 
every segment in an $i$-block, then the automaton will not get stuck moving from $r'_i$ 
to $r_i$. 

Note that, in $\mathcal{A}_n$, it is only possible for $R$ to get stuck at the locations $r'_i$ and 
$r_i$. Therefore, we have shown that $R$ does not get stuck if and only if the three 
conditions of Lemma 6 hold for $R$. 

E Proof of Lemma 7 

This lemma follows from Lemma 11. Let $R$ be a run. Lemma 11 implies that the 
transition from $r_i$ to $r'_{i-1}$ is taken in every segment $R_j$ such that $j \bmod 2^{n-(i-1)} = 0$. 
This transition resets both $a_i$ and $b_i$ to 0. Therefore, neither of these counters 
may exceed $2^{n-(i-1)}$. Similarly, Lemma 11 implies that every segment $R_j$ such 
that $j \bmod 2^{n-i} = 0$ must move from $r'_i$ to $r_i$. Both of the transitions 
between $r'_i$ and $r_i$ reset $e_i$ and $f_i$, and therefore neither of these counters may 
exceed $2^{n-i}$. 



